mirror of
https://github.com/Security-Onion-Solutions/securityonion.git
synced 2025-12-06 09:12:45 +01:00
more requires on docker containers
This commit is contained in:
m0duspwnens
@@ -45,8 +45,6 @@ so-domainstatsimage:
|
||||
|
||||
so-domainstats:
|
||||
docker_container.running:
|
||||
- require:
|
||||
- so-domainstatsimage
|
||||
- image: {{ MANAGER }}:5000/{{ IMAGEREPO }}/so-domainstats:{{ VERSION }}
|
||||
- hostname: domainstats
|
||||
- name: so-domainstats
|
||||
@@ -55,6 +53,7 @@ so-domainstats:
|
||||
- /opt/so/log/domainstats:/var/log/domain_stats
|
||||
- require:
|
||||
- file: dstatslogdir
|
||||
- cmd: so-domainstatsimage
|
||||
|
||||
append_so-domainstats_so-status.conf:
|
||||
file.append:
|
||||
|
||||
@@ -25,9 +25,10 @@
|
||||
{% from 'filebeat/map.jinja' import SO with context %}
|
||||
{% set ES_INCLUDED_NODES = ['so-eval', 'so-standalone', 'so-managersearch', 'so-node', 'so-heavynode', 'so-import'] %}
|
||||
|
||||
include:
|
||||
- ssl
|
||||
#only include elastic state for certain nodes
|
||||
{% if grains.role in ES_INCLUDED_NODES %}
|
||||
include:
|
||||
- elasticsearch
|
||||
{% endif %}
|
||||
|
||||
@@ -66,7 +67,7 @@ fileregistrydir:
|
||||
- makedirs: True
|
||||
|
||||
# This needs to be owned by root
|
||||
filebeatconfsync:
|
||||
filebeatconf:
|
||||
file.managed:
|
||||
- name: /opt/so/conf/filebeat/etc/filebeat.yml
|
||||
- source: salt://filebeat/etc/filebeat.yml
|
||||
@@ -78,7 +79,7 @@ filebeatconfsync:
|
||||
OUTPUT: {{ salt['pillar.get']('filebeat:config:output', {}) }}
|
||||
|
||||
# Filebeat module config file
|
||||
filebeatmoduleconfsync:
|
||||
filebeatmoduleconf:
|
||||
file.managed:
|
||||
- name: /opt/so/conf/filebeat/etc/module-setup.yml
|
||||
- source: salt://filebeat/etc/module-setup.yml
|
||||
@@ -135,7 +136,14 @@ so-filebeat:
|
||||
{% endfor %}
|
||||
{% endfor %}
|
||||
- watch:
|
||||
- file: /opt/so/conf/filebeat/etc/filebeat.yml
|
||||
- file: filebeatconf
|
||||
- require:
|
||||
- file: filebeatconf
|
||||
- file: filebeatmoduleconf
|
||||
- file: filebeatmoduledir
|
||||
- x509: filebeat_crt
|
||||
- x509: filebeat_key
|
||||
- x509: trusttheca
|
||||
|
||||
{% if grains.role in ES_INCLUDED_NODES %}
|
||||
run_module_setup:
|
||||
|
||||
@@ -17,6 +17,7 @@
|
||||
|
||||
|
||||
include:
|
||||
- ssl
|
||||
- mysql
|
||||
|
||||
# Fleet Setup
|
||||
@@ -136,6 +137,9 @@ so-fleet:
|
||||
- /opt/so/conf/fleet/packs:/packs
|
||||
- watch:
|
||||
- /opt/so/conf/fleet/etc
|
||||
- require:
|
||||
- x509: fleet_key
|
||||
- x509: fleet_crt
|
||||
|
||||
append_so-fleet_so-status.conf:
|
||||
file.append:
|
||||
|
||||
@@ -132,6 +132,8 @@ so-grafana:
|
||||
- 0.0.0.0:3000:3000
|
||||
- watch:
|
||||
- file: /opt/so/conf/grafana/*
|
||||
- require:
|
||||
- file: grafana-config
|
||||
|
||||
append_so-grafana_so-status.conf:
|
||||
file.append:
|
||||
|
||||
@@ -17,6 +17,8 @@
|
||||
include:
|
||||
- salt.minion
|
||||
- salt.python3-influxdb
|
||||
- ssl
|
||||
|
||||
# Influx DB
|
||||
influxconfdir:
|
||||
file.directory:
|
||||
@@ -60,6 +62,10 @@ so-influxdb:
|
||||
- 0.0.0.0:8086:8086
|
||||
- watch:
|
||||
- file: influxdbconf
|
||||
- require:
|
||||
- file: influxdbconf
|
||||
- x509: influxdb_key
|
||||
- x509: influxdb_crt
|
||||
|
||||
append_so-influxdb_so-status.conf:
|
||||
file.append:
|
||||
|
||||
@@ -51,6 +51,8 @@ so-logscan:
|
||||
- /opt/so/log/logscan:/logscan/output:rw
|
||||
- /opt/so/log:/logscan/logs:ro
|
||||
- cpu_period: {{ logscan_cpu_period }}
|
||||
- require:
|
||||
- file: logscan_conf
|
||||
{% else %}
|
||||
- force: true
|
||||
{% endif %}
|
||||
|
||||
@@ -45,6 +45,7 @@
|
||||
{% endif %}
|
||||
|
||||
include:
|
||||
- ssl
|
||||
- elasticsearch
|
||||
|
||||
# Create the logstash group
|
||||
@@ -162,9 +163,7 @@ so-logstash:
|
||||
{% endfor %}
|
||||
- binds:
|
||||
- /opt/so/conf/elasticsearch/templates/:/templates/:ro
|
||||
- /opt/so/conf/logstash/etc/log4j2.properties:/usr/share/logstash/config/log4j2.properties:ro
|
||||
- /opt/so/conf/logstash/etc/logstash.yml:/usr/share/logstash/config/logstash.yml:ro
|
||||
- /opt/so/conf/logstash/etc/pipelines.yml:/usr/share/logstash/config/pipelines.yml
|
||||
- /opt/so/conf/logstash/etc/:/usr/share/logstash/config/:ro
|
||||
- /opt/so/conf/logstash/pipelines:/usr/share/logstash/pipelines:ro
|
||||
- /opt/so/rules:/etc/nsm/rules:ro
|
||||
- /nsm/import:/nsm/import:ro
|
||||
@@ -181,7 +180,6 @@ so-logstash:
|
||||
{% endif %}
|
||||
- /opt/so/conf/ca/cacerts:/etc/pki/ca-trust/extracted/java/cacerts:ro
|
||||
- /opt/so/conf/ca/tls-ca-bundle.pem:/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:ro
|
||||
- /etc/pki/ca.cer:/ca/ca.crt:ro
|
||||
{%- if grains['role'] == 'so-eval' %}
|
||||
- /nsm/zeek:/nsm/zeek:ro
|
||||
- /nsm/suricata:/suricata:ro
|
||||
@@ -201,6 +199,16 @@ so-logstash:
|
||||
{% for TEMPLATE in TEMPLATES %}
|
||||
- file: es_template_{{TEMPLATE.split('.')[0] | replace("/","_") }}
|
||||
{% endfor %}
|
||||
- require:
|
||||
- x509: filebeat_crt
|
||||
- x509: filebeat_key
|
||||
{% if grains['role'] == 'so-heavynode' %}
|
||||
- x509: trusttheca
|
||||
{% else %}
|
||||
- x509: pki_public_ca_crt
|
||||
{% endif %}
|
||||
- file: cacertz
|
||||
- file: capemz
|
||||
|
||||
append_so-logstash_so-status.conf:
|
||||
file.append:
|
||||
|
||||
@@ -67,8 +67,9 @@ removeesp12dir:
|
||||
- name: /etc/pki/elasticsearch.p12
|
||||
- onlyif: "[ -d /etc/pki/elasticsearch.p12 ]"
|
||||
|
||||
/etc/pki/influxdb.key:
|
||||
influxdb_key:
|
||||
x509.private_key_managed:
|
||||
- name: /etc/pki/influxdb.key
|
||||
- CN: {{ manager }}
|
||||
- bits: 4096
|
||||
- days_remaining: 0
|
||||
@@ -85,8 +86,9 @@ removeesp12dir:
|
||||
interval: 30
|
||||
|
||||
# Create a cert for the talking to influxdb
|
||||
/etc/pki/influxdb.crt:
|
||||
influxdb_crt:
|
||||
x509.certificate_managed:
|
||||
- name: /etc/pki/influxdb.crt
|
||||
- ca_server: {{ ca_server }}
|
||||
- signing_policy: influxdb
|
||||
- public_key: /etc/pki/influxdb.key
|
||||
@@ -161,8 +163,9 @@ rediskeyperms:
|
||||
{% endif %}
|
||||
|
||||
{% if grains['role'] in ['so-manager', 'so-eval', 'so-helix', 'so-managersearch', 'so-standalone', 'so-import', 'so-heavynode'] %}
|
||||
/etc/pki/filebeat.key:
|
||||
filebeat_key:
|
||||
x509.private_key_managed:
|
||||
- name: /etc/pki/filebeat.key
|
||||
- CN: {{ COMMONNAME }}
|
||||
- bits: 4096
|
||||
- days_remaining: 0
|
||||
@@ -179,8 +182,9 @@ rediskeyperms:
|
||||
interval: 30
|
||||
|
||||
# Request a cert and drop it where it needs to go to be distributed
|
||||
/etc/pki/filebeat.crt:
|
||||
filebeat_crt:
|
||||
x509.certificate_managed:
|
||||
- name: /etc/pki/filebeat.crt
|
||||
- ca_server: {{ ca_server }}
|
||||
- signing_policy: filebeat
|
||||
- public_key: /etc/pki/filebeat.key
|
||||
@@ -201,7 +205,7 @@ rediskeyperms:
|
||||
cmd.run:
|
||||
- name: "/usr/bin/openssl pkcs8 -in /etc/pki/filebeat.key -topk8 -out /etc/pki/filebeat.p8 -nocrypt"
|
||||
- onchanges:
|
||||
- x509: /etc/pki/filebeat.key
|
||||
- x509: filebeat_key
|
||||
|
||||
|
||||
fbperms:
|
||||
@@ -427,8 +431,9 @@ msslkeyperms:
|
||||
- group: 939
|
||||
|
||||
# Create a private key and cert for OSQuery
|
||||
/etc/pki/fleet.key:
|
||||
fleet_key:
|
||||
x509.private_key_managed:
|
||||
- name: /etc/pki/fleet.key
|
||||
- CN: {{ manager }}
|
||||
- bits: 4096
|
||||
- days_remaining: 0
|
||||
@@ -444,8 +449,9 @@ msslkeyperms:
|
||||
attempts: 5
|
||||
interval: 30
|
||||
|
||||
/etc/pki/fleet.crt:
|
||||
fleet_crt:
|
||||
x509.certificate_managed:
|
||||
- name: /etc/pki/fleet.crt
|
||||
- signing_private_key: /etc/pki/fleet.key
|
||||
- CN: {{ manager }}
|
||||
- subjectAltName: DNS:{{ manager }},IP:{{ managerip }}
|
||||
@@ -476,8 +482,9 @@ fbcertdir:
|
||||
- name: /opt/so/conf/filebeat/etc/pki
|
||||
- makedirs: True
|
||||
|
||||
/opt/so/conf/filebeat/etc/pki/filebeat.key:
|
||||
filebeat_key:
|
||||
x509.private_key_managed:
|
||||
- name: /opt/so/conf/filebeat/etc/pki/filebeat.key
|
||||
- CN: {{ COMMONNAME }}
|
||||
- bits: 4096
|
||||
- days_remaining: 0
|
||||
@@ -486,7 +493,7 @@ fbcertdir:
|
||||
- new: True
|
||||
{% if salt['file.file_exists']('/opt/so/conf/filebeat/etc/pki/filebeat.key') -%}
|
||||
- prereq:
|
||||
- x509: /opt/so/conf/filebeat/etc/pki/filebeat.crt
|
||||
- x509: filebeat_crt
|
||||
{%- endif %}
|
||||
- timeout: 30
|
||||
- retry:
|
||||
@@ -494,8 +501,9 @@ fbcertdir:
|
||||
interval: 30
|
||||
|
||||
# Request a cert and drop it where it needs to go to be distributed
|
||||
/opt/so/conf/filebeat/etc/pki/filebeat.crt:
|
||||
filebeat_crt:
|
||||
x509.certificate_managed:
|
||||
- name: /opt/so/conf/filebeat/etc/pki/filebeat.crt
|
||||
- ca_server: {{ ca_server }}
|
||||
- signing_policy: filebeat
|
||||
- public_key: /opt/so/conf/filebeat/etc/pki/filebeat.key
|
||||
@@ -519,7 +527,7 @@ filebeatpkcs:
|
||||
cmd.run:
|
||||
- name: "/usr/bin/openssl pkcs8 -in /opt/so/conf/filebeat/etc/pki/filebeat.key -topk8 -out /opt/so/conf/filebeat/etc/pki/filebeat.p8 -passout pass:"
|
||||
- onchanges:
|
||||
- x509: /opt/so/conf/filebeat/etc/pki/filebeat.key
|
||||
- x509: filebeat_key
|
||||
|
||||
filebeatkeyperms:
|
||||
file.managed:
|
||||
@@ -585,8 +593,9 @@ msslkeyperms:
|
||||
- group: 939
|
||||
|
||||
# Create a private key and cert for Fleet
|
||||
/etc/pki/fleet.key:
|
||||
fleet_key:
|
||||
x509.private_key_managed:
|
||||
- name: /etc/pki/fleet.key
|
||||
- CN: {{ manager }}
|
||||
- bits: 4096
|
||||
- days_remaining: 0
|
||||
@@ -602,8 +611,9 @@ msslkeyperms:
|
||||
attempts: 5
|
||||
interval: 30
|
||||
|
||||
/etc/pki/fleet.crt:
|
||||
fleet_crt:
|
||||
x509.certificate_managed:
|
||||
- name: /etc/pki/fleet.crt
|
||||
- signing_private_key: /etc/pki/fleet.key
|
||||
- CN: {{ HOSTNAME }}
|
||||
- subjectAltName: DNS:{{ HOSTNAME }}, IP:{{ MAINIP }} {% if CUSTOM_FLEET_HOSTNAME != None %},DNS:{{ CUSTOM_FLEET_HOSTNAME }} {% endif %}
|
||||
|
||||
Reference in New Issue
Block a user